ColdFusion Talk (CF-Talk)
credit card storage help
Author: Phillip Vector
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#308747
> P.S. Joseph, thanks for the kind words and I hope all worked out for you.
> I'm still ashamed the way things went down.
Hey.. No worries. I call it like I see it and I know Shift4 is a great
company for people to use (heck, I helped a small section of it get
built, so I KNOW there's some serious security on
there).
Author: Steve Sommers
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#308745
Hi all,
Sorry I'm entering this thread a little late. I noticed some Shift4 references so
I decided to chime in.
You'll definitely want to use some form of tokenization, whether ours or any
gateway you decide to use. One product I would like to mention that we offer is
i4Go. It is a tokenization piece that takes your entire site and server out of
PCI scope -- you are no longer handling card holder data (CHD) and this is what
PCI is concerned with. With i4Go you have full control of the transactions (one
time charge, recurring billing, two-click check out, etc.) and still never
directly handle CHD.
You most likely have decided on a solution by now but maybe others are facing the
same decision.
--Steve
P.S. Joseph, thanks for the kind words and I hope all worked out for you. I'm
still ashamed the way things went down.
Author: Ian Rutherford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#306044
MSSQL has built in DES encryption now. It is very simple to implement.
Authorize.net has recurring billing that you can set up through their API so you
can avoid keeping the numbers yourself.
Author: Eric Haskins
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#306009
Look up PCI compliance and you will see the recommended practices. You can store
certain data as long as you have it encrypted, as well as written policies that
detail it and how you handle key management. I am working on a 3DES solution
that will be a lot cheaper than buying an nCipher or the like for 25K.
Eric Haskins
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305993
So how do ISPs and other companies handle storing credit cards? I
get regularly charged by several companies, not all of whom would be
large enough to have dedicated IT departments. Are they storing
the card details and hoping for the best?
I know there are big billing companies who would be expected to have a
pretty serious security environment - Plimus comes to mind there - I
have 3 accounts for different vendors with them - but conducting a
monthly business that bills clients monthly would be impractical if
you couldn't store credit card numbers.
For my own hosting company, I keep credit card details in a totally
off-line system that never touches the internet. But without being
able to bill monthly, hosting would not be viable as a business. I
would like to have a much better arrangement - it's highly
inconvenient having to bill the cards the way we do. I'd like to be
able to automate it somehow.
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
Author: Phillip Vector
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305962
When you talk to Shift4, tell them Joseph Bullock-Palser sent ya. If
they say who is that, tell them it's the developer they fired 3 days
before Christmas after he moved out to work for them.
Good company for security, Pain in the neck HR rep.
> so you're saying I shouldn't do it??? =) ok, you convinced me... I was
> pretty nervous about doing that anyway... looks like shift4 will do what I need
> anyway.
>
> and for those of you in a similar situation, I would NOT recommend
> Cardservice international for anything even vaguely large-scale. not good at
> all...
>
> thanks for the advice about saving data as separate encrypted fields... I
> really don't have any choice but to collect some sensitive info so I will employ
> that technique... even if the data will only be on the database for a max of 20
> min, I'm not taking chances!
Author: Jessica Kennedy
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305961
so you're saying I shouldn't do it??? =) ok, you convinced me... I was pretty
nervous about doing that anyway... looks like shift4 will do what I need anyway.
and for those of you in a similar situation, I would NOT recommend Cardservice
international for anything even vaguely large-scale. not good at all...
thanks for the advice about saving data as separate encrypted fields... I really
don't have any choice but to collect some sensitive info so I will employ that
technique... even if the data will only be on the database for a max of 20 min,
I'm not taking chances!
Author: Eric Haskins
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305948
A lot of online merchants and offline merchants store your cards. The trick
is the encryption. PCI allows for storage but you would need to have some
sort of solution for key management and encryption.
Some examples of appliances for this are nCipher
http://ncipher.com/products/hardware_security_modules/10/nethsm/
I have done some projects with these in the past; they are $$$ and you would
need at least 2 in case one fails.
I am working on a cheaper, smaller scale solution. For the people that
can't afford 25K each LOL
Eric Haskins
On Fri, May 23, 2008 at 8:57 AM, Matthew Sievert <Matthew.Sievert@minacs.adityabirla.com> wrote:
Author: Matthew Sievert
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305946
Oh man,
("What company is this for?")
You guys are too funny.
Seriously,
I wouldn't get anywhere near credit card numbers. I did for one project
and it scared the crap out of me.
Let someone else worry about the entire process. Even if it costs the
client a bit more.
Sounds like a management problem then actually..
You may want to check out Shift4. They are pretty cheap and are pretty
reliable. I used to work for them and trust me.. Security is #1 for
them.
If not, then you need to get on the phone with them and complain that
they are assisting with fraud or whatever else you can come up with.
That becomes a problem with the company.
Either that, or store the cards on your site, encrypt them and hope for
the best. I'd get in print someplace that your managers know they are
taking a risk though and it's not your fault if you get hacked and all
the credit card numbers are gone.
So... What company is this again? :)
On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
<police_kidnapped_your_children@yahoo.com> wrote:
> Cardservice international... they store partial card #'s for reference
> if I am not mistaken...
>
> they have a reoccurring billing feature on their website, the only
> problem is that once a person is entered into the reoccurring cycle,
> they will run the person's credit card over and over and stick us with
> the fees regardless of how obvious it is the card is going to decline.
Author: mac jordan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305942
I wouldn't take the responsibility myself - when I had to do this for a
client, I passed the whole card processing and so forth over to WorldPay,
and just used their API to do the callback and so forth.
--
mac jordan
www.webhorus.net
www.nibblous.com
www.kestrel.org
www.jordan-cats.org
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305939
> You may want to check out Shift4. They are pretty cheap and are
> pretty
> reliable. I used to work for them and trust me.. Security is #1 for
> them.
There's another good reason to look at Shift4. They have a tokenization
technology in place which allows you to save a "token" that links to that credit
card information on their system without actually saving the card data yourself.
This is particularly ideal for recurring transactions where you need to be able
to rebill the same card but don't want the liability of saving card data.
--- Mary Jo
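The tokenization model Mary Jo describes above (and Steve's i4Go pitch further up the thread), worked through as an added example; this is not code from the thread and not Shift4's or i4Go's API. `TokenVault` is an assumed stand-in for the processor's vault, the decline list and the card numbers are constructed test values, and the point is that the merchant database ends up holding a random token and last4 but never the full PAN, while recurring billing (including Jessica's "lock out on decline" requirement) still works against the token.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check so the vault rejects obviously mistyped numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Assumed stand-in for the processor's vault: the only place a full PAN lives."""
    def __init__(self, decline_pans=()):
        self._store = {}                     # token -> PAN, processor side only
        self._declined = set(decline_pans)   # constructed: cards that will decline

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)    # random; no mathematical relation to the PAN
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, cents: int) -> str:
        pan = self._store.get(token)
        if pan is None:
            return "unknown_token"
        return "declined" if pan in self._declined else "approved"

def store_customer(merchant_db: dict, customer_id: str, tok: dict) -> None:
    """Merchant persists only the token and last4, never the card number."""
    merchant_db[customer_id] = {"token": tok["token"], "last4": tok["last4"], "locked": False}

def run_monthly_billing(vault: TokenVault, merchant_db: dict, cents: int) -> dict:
    """Rebill every customer by token; lock out anyone whose card declines."""
    results = {}
    for cid, rec in merchant_db.items():
        outcome = vault.charge(rec["token"], cents)
        rec["locked"] = outcome != "approved"
        results[cid] = outcome
    return results

def merchant_db_holds_pan(merchant_db: dict, pan: str) -> bool:
    """Audit helper: does the full card number appear anywhere in merchant storage?"""
    return pan.replace(" ", "") in repr(merchant_db)
```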
Author: Phillip Vector
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305933
Well, at least you can go back to your boss and tell him that you
didn't find a single person who says you should store it. :)
On Thu, May 22, 2008 at 4:19 PM, Brian Kotek <brian428@gmail.com> wrote:
Author: Brian Kotek
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305932
You're opening yourself up to huge potential liability if anyone ever steals
these numbers. Basically, don't.
http://usa.visa.com/merchants/risk_management/cisp.html
On Thu, May 22, 2008 at 2:50 PM, Jessica Kennedy <police_kidnapped_your_children@yahoo.com> wrote:
Author: Les Mizzell
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305931
Jessica Kennedy wrote:
> I need some help finding a secure way to store credit cards on a website I
> am working on.
1. Don't
2. No really, don't
I've had to do it once. I wasn't happy about it. I made the client sign
a waiver saying that I was in *no* way responsible if anything ever
happened and the server was compromised.
It still scared the hell out of me, so I had to be devious in the storage.
I set up 6 fields in the database. I *split* the card numbers up into
six different "chunks", merged each one of those chunks back into 6
legit looking card numbers, and then encrypted, using different
encryption methods for each field, them all into the six fields. I
figured the chances of somebody compromising the database, un-encrypting
all six fields, and then figuring out which part of each number needed
to be combined together into the real number was pretty slim...
Paranoid? Oh yea...
Better than nothing ...
But hey, DON'T.
Seriously.
Author: Phillip Vector
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305920
Sounds like a management problem then actually..
You may want to check out Shift4. They are pretty cheap and are pretty
reliable. I used to work for them and trust me.. Security is #1 for
them.
If not, then you need to get on the phone with them and complain that
they are assisting with fraud or whatever else you can come up with.
That becomes a problem with the company.
Either that, or store the cards on your site, encrypt them and hope
for the best. I'd get in print someplace that your managers know they
are taking a risk though and it's not your fault if you get hacked and
all the credit card numbers are gone.
So... What company is this again? :)
On Thu, May 22, 2008 at 12:40 PM, Jessica Kennedy
<police_kidnapped_your_children@yahoo.com> wrote:
> Cardservice international... they store partial card #'s for reference if I
> am not mistaken...
>
> they have a reoccurring billing feature on their website, the only problem
> is that once a person is entered into the reoccurring cycle, they will run the
> person's credit card over and over and stick us with the fees regardless of how
> obvious it is the card is going to decline.
Author: Jessica Kennedy
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305918
Cardservice international... they store partial card #'s for reference if I am
not mistaken...
they have a reoccurring billing feature on their website, the only problem is
that once a person is entered into the reoccurring cycle, they will run the
person's credit card over and over and stick us with the fees regardless of how
obvious it is the card is going to decline.
Author: Phillip Vector
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305916
That's pretty much it I would think... Encrypted sounds like the only
way to do it (and that's not that secure).
Can your payment processor handle the storage of your cards?
If not, what is the name of the company so I know never to use it. :)
On Thu, May 22, 2008 at 11:50 AM, Jessica Kennedy
<police_kidnapped_your_children@yahoo.com> wrote:
> I need some help finding a secure way to store credit cards on a website I
> am working on. I know, I know you shouldn't do it unless you absolutely MUST,
> but it looks like I absolutely must, sad to say. I have to set up reoccurring
> payments with credit cards that will notify the user if their card is declined
> and lock them out of certain website features as well. Coding the above is not a
> problem, I am just very nervous about keeping credit card information on anyone.
>
> I know the card #'s need to be stored encrypted, but that's still a pretty
> broad range of options... any help would be much appreciated!
Author: Jessica Kennedy
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56502#305914
I need some help finding a secure way to store credit cards on a website I am
working on. I know, I know you shouldn't do it unless you absolutely MUST, but
it looks like I absolutely must, sad to say. I have to set up reoccurring
payments with credit cards that will notify the user if their card is declined
and lock them out of certain website features as well. Coding the above is not a
problem, I am just very nervous about keeping credit card information on anyone.
I know the card #'s need to be stored encrypted, but that's still a pretty broad
range of options... any help would be much appreciated!
May 24, 2012